Posts by Didier Godart

1 min PCI

PCI Compliance Dashboard - New version including SANS Top20 Critical Security Controls

Hi, According to what we are hearing from the field, there are quite a big number out there of active users of this PCI Compliance Dashboard. Encouraged by your feedback and your assitance we worked on this new release. Among other great enhancements it encompasses references to the SANS Top 20 Critical Security Controls. A deeper analysis paper on PCI-SANS matching and deviation areas will follow but for now on, enjoy this new version of the PCI Compliance Dashboard. What's New? * Add a tabl

2 min

Your PCI Logbook - What is required in terms of log management?

P>D R is a well-known principle in security. It's a principle that means that the Protective measures in place must be strong enough to resist longer than the time required to Detect something wrong is happening and then React. For example, your door must be strong enough to prevent a malicious individual from getting in for at least the amount time required to detect the incident, alert the police, and have them arrive on site. In this context, log management [

4 min

Cyber attack ranked within the top 5 risks in terms of probability

“The more complex the system, the greater the risk of systemic breakdown, but also the greater the potential for opportunity” - Klaus Schwab Founder and Executive Chairman World Economic Forum. The World Economic Forum [] released their Global risks 2012 report, outlining the perceived impact, likelihood and interconnectedness of 50 prevalent global risks ranged in five risk categories:  economic, environmental, geopolitical, societal and technological. In this post I'

1 min

Can I use compensating controls to resolve vulnerabilities found during a scan?

Resolving vulnerabilities found during a scan before a passing scan result can be issued is not always immediately possible, and sometimes the only possible solution is the use of a Compensating Control. Compensating controls are not meant to be the de facto response to an identified vulnerability. Compensating controls may only be employed if a true technical limitation or business need prevents a vulnerability from being corrected. This is most commonly the case for zero-day vulnerabiliti

1 min PCI

What to do if your organization can't demonstrate four passing PCI internal or external scans

Two cases: 1) Your company is assessed for the first time: Entities participating in their first ever PCI DSS assessment are only required to demonstrate that the most recent scan result meets the criteria for a passing scan, and there are policies and procedures in place for future quarterly scans, to meet the intent of this requirement. So to be compliant with 11.2 the first time you are assessed, you only need to demonstrate that the most recent scan is a PASS. 2) Reassessment (from th